Cyber Defense Laboratory
Intrusion Alert Correlator (Version 0.2)
This tool correlates the alerts reported by a commercial Intrusion Detection System (IDS) using the prerequisites and consequences of hyper-alerts defined in a knowledge base. The tool is written in Java.
The current release is an offline tool that interacts with a DBMS.
This tool has been tested in Windows 2000 with MS SQL server.
Please try version 1.0.
Test Data and Execution Procedure
1. Download this sql statement and execute it in the database to create a target table "events";
2. Download any of these alert datasets [scenario 1 (dmz, inside), scenario 2 (dmz, inside)], which were generated by RealSecure from the DARPA 2000 evaluation dataset. You can import a dataset into MS SQL server with the command "bulk insert events from 'file path' with (FIELDTERMINATOR=',');";
4. Download the sample property file, name it "Correlator.properties" and edit the configuration for your environment (dbDriver, dbURL, and the various file paths such as the knowledge base path, Original_Graph_Output, ...);
5. Run the tool using the command "java Correlator -Correlation userName password";
6. Use GraphViz to generate the graphs (dot -Tps darpa_dmz1.txt -o outputFile.ps). The file name "darpa_dmz1.txt" is specified in "Correlator.properties".
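The following Python script is an added example, not code from the Intrusion Alert Correlator itself, that walks through the idea behind the tool as described above and in the procedure: alerts loaded from a comma-separated file are matched against a knowledge base of hyper-alert prerequisites and consequences, an earlier alert is linked to a later one when an instantiated consequence of the first matches an instantiated prerequisite of the second, and the resulting scenario graph is written in GraphViz dot syntax for "dot -Tps". The knowledge base entries, the column layout, the timestamps and the IP addresses are all constructed for this example; the real tool's knowledge base file format and "events" table schema are not reproduced here.

```python
import csv
import io
from dataclasses import dataclass

# Knowledge base: hyper-alert type -> (prerequisite predicates, consequence predicates).
# Variables such as DestIP are bound from the alert's attributes when a predicate
# is instantiated. Constructed for this example; the tool reads its own knowledge base file.
KNOWLEDGE_BASE = {
    "Sadmind_Ping": (["ExistHost(DestIP)"], ["VulnerableSadmind(DestIP)"]),
    "Sadmind_Amslverify_Overflow": (["VulnerableSadmind(DestIP)"], ["GainRootAccess(DestIP)"]),
    "Rsh": (["GainRootAccess(SrcIP)"], ["SystemCompromised(DestIP)"]),
}

# Constructed alert records in a comma-separated layout of the kind a bulk insert
# would load. Columns: id,type,begin,end,SrcIP,DestIP (times are plain integers).
SAMPLE_CSV = """1,Sadmind_Ping,100,100,192.0.2.10,198.51.100.5
2,Sadmind_Amslverify_Overflow,140,141,192.0.2.10,198.51.100.5
3,Sadmind_Amslverify_Overflow,150,151,192.0.2.10,198.51.100.9
4,Rsh,200,201,198.51.100.5,198.51.100.7
5,Rsh,90,91,198.51.100.5,198.51.100.8
"""


@dataclass
class Alert:
    alert_id: int
    alert_type: str
    begin: int
    end: int
    attrs: dict


def parse_alerts(text):
    """Read the comma-separated records into Alert objects."""
    alerts = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        aid, atype, begin, end, src, dst = row
        alerts.append(Alert(int(aid), atype, int(begin), int(end),
                            {"SrcIP": src, "DestIP": dst}))
    return alerts


def instantiate(predicate, attrs):
    """'GainRootAccess(DestIP)' with {'DestIP': '1.2.3.4'} -> ('GainRootAccess', ('1.2.3.4',))."""
    name, _, arglist = predicate.rstrip(")").partition("(")
    return (name, tuple(attrs[v.strip()] for v in arglist.split(",") if v.strip()))


def prerequisites(alert):
    prereq, _ = KNOWLEDGE_BASE[alert.alert_type]
    return {instantiate(p, alert.attrs) for p in prereq}


def consequences(alert):
    _, conseq = KNOWLEDGE_BASE[alert.alert_type]
    return {instantiate(p, alert.attrs) for p in conseq}


def correlate(alerts):
    """h1 'prepares for' h2 when some instantiated consequence of h1 equals an
    instantiated prerequisite of h2 and h1 ends before h2 begins. Returns the
    sorted list of (earlier_id, later_id) edges."""
    edges = []
    for h1 in alerts:
        for h2 in alerts:
            if h1 is h2 or h1.end >= h2.begin:
                continue
            if consequences(h1) & prerequisites(h2):
                edges.append((h1.alert_id, h2.alert_id))
    return sorted(edges)


def to_dot(alerts, edges):
    """Render the correlation graph in GraphViz dot syntax (input for: dot -Tps)."""
    lines = ["digraph scenario {"]
    for a in alerts:
        lines.append(f'  {a.alert_id} [label="{a.alert_type}{a.alert_id}"];')
    for src, dst in edges:
        lines.append(f"  {src} -> {dst};")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_CSV)
    print(to_dot(alerts, correlate(alerts)))
```

Running the script prints a dot graph in which alert 1 (the probe) leads to alert 2 (the overflow against the same host), which leads to alert 4 (the rsh whose source is that compromised host). Alert 3 stays isolated because it targets a different host, and alert 5 stays isolated because it occurred before the overflow that would have explained it; the temporal check in correlate() is what prevents that spurious link.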
Checklist before you run this tool
· Xerces Java Parser v1.4.1 (You can get it from Apache's website.)
· GraphViz (You can get it from AT&T's website.)
· Installation & Operation Manual [pdf]
· Java API for this tool can be found here.
· Peng Ning, Yun Cui, Douglas S. Reeves, "Constructing Attack Scenarios through Correlation of Intrusion Alerts," To appear in the 9th ACM Conference on Computer & Communications Security, Washington D.C., November 2002. (Full Version)
· Peng Ning, Yun Cui, Douglas S. Reeves, "Analyzing Intensive Intrusion Alerts Via Correlation," To appear in Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (RAID 2002), Zurich, Switzerland, October 2002.
· Dr. Peng Ning
· Yun Cui
© 2002 Yun Cui, Last Updated 10/23/2002